File and Directory Ownership

Traditional UNIX file permissions can assign ownership to three classes
of users:

user – The file or directory owner, which is usually the user who created the file. The owner of a file can decide who has the right to read the file, to write to the file (make changes to it), or, if the file is a command, to execute the file.

group – Members of a group of users.

others – All other users who are not the file owner and are not members of the group.

The owner of the file can usually assign or modify file permissions.
Additionally, users or roles with administrative capabilities, such as superuser
or the Primary Administrator role, can change a file's ownership. To override
system policy, see Example 6–2.

A file can be one of seven types. Each type is displayed by a symbol in the first column of ls -l output:

Symbol   File Type
-        Text or program (minus sign)
b        Block special file
c        Character special file
d        Directory
l        Symbolic link
s        Socket
D        Door
P        Named pipe (FIFO)

UNIX File Permissions

The following table lists and describes the permissions that you can
give to each class of user for a file or directory.

Table 6–2 File and Directory Permissions

Symbol   Permission   Object       Description
r        Read         File         Designated users can open and read the contents of a file.
                      Directory    Designated users can list files in the directory.
w        Write        File         Designated users can modify the contents of the file or delete the file.
                      Directory    Designated users can add files or add links in the directory. They can also remove files or remove links in the directory.
x        Execute      File         Designated users can execute the file, if it is a program or shell script. They also can run the program with one of the exec(2) system calls.
                      Directory    Designated users can open files or execute files in the directory. They also can make the directory and the directories beneath it current.
-        Denied       File and     Designated users cannot read, write, or execute the file.
                      Directory

These file permissions apply to regular files, and to special files
such as devices, sockets, and named pipes (FIFOs).

For a symbolic link, the permissions that apply are the permissions
of the file that the link points to.

You can protect the files in a directory and its subdirectories by setting
restrictive file permissions on that directory. Note, however, that superuser
has access to all files and directories on the system.
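As an added example that is not part of the guide, the following POSIX shell functions decode the 10-character mode field that ls -l prints, using the type symbols and permission letters from the sections above. They report the file type, the four-digit octal mode (special-bit digit first) and which of setuid, setgid and the sticky bit are set. The function names are this example's own.

```shell
#!/bin/sh
# Added example: decode the mode field printed by "ls -l", e.g. "-r-sr-sr-x".
# The function names are this example's own, not commands from the guide.

# Map the first character of the mode field to the file type named in the guide.
file_type() {
    case "$1" in
        -*)     echo "text or program" ;;
        b*)     echo "block special file" ;;
        c*)     echo "character special file" ;;
        d*)     echo "directory" ;;
        l*)     echo "symbolic link" ;;
        s*)     echo "socket" ;;
        D*)     echo "door" ;;
        [Pp]*)  echo "named pipe (FIFO)" ;;   # accept either case for the FIFO symbol
        *)      echo "unknown" ;;
    esac
}

# Octal digit for one rwx triplet. In the third position, "s" and "t" mean the
# execute bit is on together with a special bit; "S", "T" and "l" mean the
# special bit is on but execute is off, so they do not add 1.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xst]) v=$((v + 1)) ;; esac
    echo "$v"
}

# Print "<type> <4-digit octal mode> [special bits]" for a mode string.
decode_mode() {
    m=$1
    [ "${#m}" -ge 10 ] || { echo "decode_mode: need a 10-character mode string" >&2; return 1; }
    u=$(printf '%s\n' "$m" | cut -c2-4)
    g=$(printf '%s\n' "$m" | cut -c5-7)
    o=$(printf '%s\n' "$m" | cut -c8-10)
    special=0
    notes=""
    case "$u" in ??[sS])  special=$((special + 4)); notes="$notes setuid" ;; esac
    case "$g" in ??[sSl]) special=$((special + 2)); notes="$notes setgid" ;; esac
    case "$o" in ??[tT])  special=$((special + 1)); notes="$notes sticky" ;; esac
    printf '%s %d%d%d%d' "$(file_type "$m")" "$special" \
        "$(triplet_value "$u")" "$(triplet_value "$g")" "$(triplet_value "$o")"
    [ -n "$notes" ] && printf ' [%s]' "${notes# }"
    printf '\n'
}

# Convenience wrapper: decode the mode of an existing path.
decode_path() {
    decode_mode "$(ls -ld "$1" | cut -c1-10)"
}

# Usage with the passwd and /tmp listings quoted later in this chapter:
#   decode_mode '-r-sr-sr-x'   ->  text or program 6555 [setuid setgid]
#   decode_mode 'drwxrwxrwt'   ->  directory 1777 [sticky]
```

The lowercase l in the group triplet is handled as the guide's Table 6–5 describes it (setgid on, group execute off), so a mode such as -rwxr-lr-x decodes to 2745 rather than 2755.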

Special File Permissions (setuid, setgid and Sticky Bit)

Three special types of permissions are available for executable files and public directories: setuid, setgid, and sticky bit. When setuid or setgid is set on an executable file, any user who runs that file assumes the ID of the owner (or group) of the executable file.

You must be extremely careful when you set special permissions, because special permissions constitute a security risk. For example, a user can gain superuser capabilities by executing a program that sets the user ID (UID) to 0, which is the UID of root. Also, all users can set special permissions for files that they own, which constitutes another security concern.

You should monitor your system for any unauthorized use of the setuid permission and the setgid permission to gain superuser capabilities. A suspicious permission grants ownership of an administrative program to a user rather than to root or bin. To search for and list all files that use this special permission, see How to Find Files With Special File Permissions.

setuid Permission

When setuid permission is set on an executable file, a process that runs this file is granted access on the basis of the owner of the file. The access is not based on the user who is running the executable file. This special permission allows a user to access files and directories that are normally available only to the owner.

For example, the setuid permission on the passwd command makes it possible for users to change passwords. A passwd command with setuid permission would resemble the following:

-r-sr-sr-x 3 root sys 28144 Jun 17 12:02 /usr/bin/passwd

This special permission presents a security risk. Some determined users can find a way to maintain the permissions that are granted to them by the setuid process even after the process has finished executing.

Note –

The use of setuid permissions with the reserved
UIDs (0–100) from a program might not set the effective UID correctly.
Use a shell script, or avoid using the reserved UIDs with setuid permissions.

setgid Permission

The setgid permission is similar to the setuid permission. The process's effective group ID (GID) is changed to the group that owns the file, and a user is granted access based on the permissions that are granted to that group. The /usr/bin/mail command has setgid permissions:

-r-x--s--x 1 root mail 67504 Jun 17 12:01 /usr/bin/mail

When the setgid permission is applied to a directory, files that are created in that directory belong to the group that owns the directory, not to the group of the creating process. Any user who has write and execute permissions in the directory can create a file there, but the new file still belongs to the directory's group rather than to the user's group.

You should monitor your system for any unauthorized use of the setgid permission to gain superuser capabilities. A suspicious permission grants group access to such a program to an unusual group rather than to root or bin. To search for and list all files that use this permission, see How to Find Files With Special File Permissions.

Sticky Bit

The sticky bit is a permission bit that protects the files within a directory. If the directory has the sticky bit set, a file can be deleted only by the file owner, the directory owner, or by a privileged user. The root user and the Primary Administrator role are examples of privileged users. The sticky bit prevents a user from deleting other users' files from public directories such as /tmp:

drwxrwxrwt 7 root sys 400 Sep 3 13:37 tmp

Be sure to set the sticky bit manually when you set up a public directory on a TMPFS file system. For instructions, see Example 6–5.
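The monitoring that the setuid, setgid and sticky-bit sections recommend can be scripted. The following POSIX shell functions are an added example, not the guide's own procedure: one lists every file under a tree that carries setuid or setgid and filters for owners other than root or bin, the guide's rule of thumb for a suspicious permission; the other finds world-writable directories that lack the sticky bit. The function names are this example's own, and a whole-system sweep needs enough privilege to read every directory.

```shell
#!/bin/sh
# Added example: the monitoring the guide recommends, as POSIX shell functions.
# Function names are this example's own. Run against a directory tree, or /
# for a whole-system sweep.

# List every regular file under $1 that has setuid (-perm -4000) or setgid
# (-perm -2000) set, one "ls -ld" line per file so owner and group are visible.
audit_special_perms() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# The guide's rule of thumb: a setuid or setgid program whose owner (field 3 of
# "ls -ld" output) is neither root nor bin deserves a closer look.
suspicious_special_perms() {
    audit_special_perms "$1" | awk '$3 != "root" && $3 != "bin" { print }'
}

# World-writable directories that lack the sticky bit: anyone can delete
# anyone else's files there. -perm -0002 means other-writable and
# "! -perm -1000" means the sticky bit is not set.
unprotected_public_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# Usage:
#   suspicious_special_perms /usr     # review each line that appears
#   unprotected_public_dirs /tmp      # prints nothing when /tmp is mode 1777
```

Because find's -perm -mode test matches when all of the named bits are set, -perm -4000 matches a file regardless of its other permission bits, which is what an audit wants.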

Default umask Value

When you create a file or directory, you create it with a default set of permissions. The system defaults are open. A text file has 666 permissions, which grants read and write permission to everyone. A directory and an executable file have 777 permissions, which grants read, write, and execute permission to everyone. Typically, users override the system defaults in their /etc/profile file, .cshrc file, or .login file.

The value assigned by the umask command is masked out of (in effect, subtracted from) the default: each permission bit that is set in the umask is cleared from the default permissions. This process has the effect of denying permissions in the same way that the chmod command grants them. For example, the chmod 022 command grants write permission to group and others. The umask 022 command denies write permission to group and others.

The following table shows some typical umask settings and their effect on an executable file.

Table 6–3 umask Settings for Different Security Levels

Level of Security   umask Setting   Permissions Disallowed
Permissive (744)    022             w for group and others
Moderate (740)      027             w for group, rwx for others
Moderate (741)      026             w for group, rw for others
Severe (700)        077             rwx for group and others

For more information on setting the umask value, see the umask(1) man page.
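The following POSIX shell functions are an added example, not from the guide, that carry out the umask arithmetic described above and then check it against what the system actually does: the bits set in the umask are cleared from the 666 or 777 default, and creating a file or directory under that umask in a scratch directory shows the resulting mode string. The function names are this example's own.

```shell
#!/bin/sh
# Added example: the umask arithmetic described above, checked against what the
# system actually does. Function names are this example's own.

# Permissions a new object receives: the bits set in the umask are masked out
# of the default (666 for a data file, 777 for a directory or executable).
# $1 = default mode, $2 = umask, both octal; prints a three-digit octal mode.
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# The inverse: the umask that makes a new directory come out with mode $1.
umask_for_dir_mode() {
    printf '%03o\n' $(( 0777 & ~0$1 ))
}

# Create a file or directory under umask $1 in a scratch directory and return
# the mode string ls reports for it. $2 is "file" or "dir".
observed_mode() {
    scratch=$(mktemp -d) || return 1
    if [ "$2" = dir ]; then
        ( umask "$1" && mkdir "$scratch/new" )
    else
        ( umask "$1" && : > "$scratch/new" )
    fi
    ls -ld "$scratch/new" | cut -c1-10
    rm -rf "$scratch"
}

# Usage: compare the computed and observed results for a 027 umask.
#   effective_mode 666 027   -> 640
#   observed_mode 027 file   -> -rw-r-----
#   effective_mode 777 027   -> 750
#   observed_mode 027 dir    -> drwxr-x---
```

The umask is applied in a subshell so that the caller's own umask is left unchanged; a umask set at the top level of a login script, as the text describes, persists for the rest of the session.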

File Permission Modes

The chmod command enables you to change the permissions on a file. You must be superuser or the owner of a file or directory to change its permissions.

You can use the chmod command to set permissions in either of two modes:

Absolute Mode – Use numbers to represent file permissions. When you change permissions by using the absolute mode, you represent permissions for each triplet by an octal mode number. Absolute mode is the method most commonly used to set permissions.

Symbolic Mode – Use combinations of letters and symbols to add permissions or remove permissions.

The following table lists the octal values for setting file permissions in absolute mode. You use these numbers in sets of three to set permissions for owner, group, and other, in that order. For example, the value 644 sets read and write permissions for owner, and read-only permissions for group and other.

Table 6–4 Setting File Permissions in Absolute Mode

Octal Value   File Permissions Set   Permissions Description
0             ---                    No permissions
1             --x                    Execute permission only
2             -w-                    Write permission only
3             -wx                    Write and execute permissions
4             r--                    Read permission only
5             r-x                    Read and execute permissions
6             rw-                    Read and write permissions
7             rwx                    Read, write, and execute permissions

The following table lists the symbols for setting file permissions in symbolic mode. Symbols can specify whose permissions are to be set or changed, the operation to be performed, and the permissions that are being assigned or changed.

Table 6–5 Setting File Permissions in Symbolic Mode

Symbol   Function      Description
u        who           User (owner)
g        who           Group
o        who           Others
a        who           All
=        operator      Assign
+        operator      Add
-        operator      Remove
r        permissions   Read
w        permissions   Write
x        permissions   Execute
l        permissions   Mandatory locking, setgid bit is on, group execution bit is off
s        permissions   setuid or setgid bit is on
t        permissions   Sticky bit is on, execution bit for others is on

The who, operator, and permissions designations in the Function column identify the role that each symbol plays in a symbolic-mode specification, which is written as who, then operator, then permissions (for example, go-w):

who – Specifies whose permissions are to be changed.

operator – Specifies the operation to be performed.

permissions – Specifies what permissions are to be changed.
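As an added example that is not part of the guide, the following POSIX shell functions apply the same permissions once in absolute mode and once in symbolic mode and confirm that ls reports identical mode strings; they also show that a relative symbolic change (+ or -) touches only the bits named, which is the case the text gives symbolic mode for. The names are this example's own, and the 4755 case goes slightly beyond the table above by including the setuid digit described in the next section.

```shell
#!/bin/sh
# Added example: apply the same permissions in absolute mode and in symbolic
# mode and confirm that ls reports identical mode strings. Names are this
# example's own.

mode_string() { ls -ld "$1" | cut -c1-10; }

# $1 = absolute (octal) mode, $2 = symbolic specification meant to be equivalent.
# Prints both resulting mode strings; exit status is 0 only when they agree.
compare_modes() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/abs"
    : > "$scratch/sym"
    chmod "$1" "$scratch/abs" && chmod "$2" "$scratch/sym" || { rm -rf "$scratch"; return 1; }
    a=$(mode_string "$scratch/abs")
    s=$(mode_string "$scratch/sym")
    rm -rf "$scratch"
    printf '%s %s\n' "$a" "$s"
    [ "$a" = "$s" ]
}

# A relative symbolic change (+ or -) alters only the bits named and leaves the
# rest alone, which an absolute mode cannot do because it always sets every bit.
# $1 = starting octal mode, $2 = symbolic change; prints the resulting mode string.
apply_symbolic() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/f"
    chmod "$1" "$scratch/f" && chmod "$2" "$scratch/f" || { rm -rf "$scratch"; return 1; }
    mode_string "$scratch/f"
    rm -rf "$scratch"
}

# Usage:
#   compare_modes 644 u=rw,go=r        -> -rw-r--r-- -rw-r--r--
#   compare_modes 4755 u=rwxs,go=rx    -> -rwsr-xr-x -rwsr-xr-x
#   apply_symbolic 755 u+s             -> -rwsr-xr-x
#   apply_symbolic 4755 u-s            -> -rwxr-xr-x
```

The last two usage lines are the practical difference between the modes: chmod u-s removes only the setuid bit and leaves the rwx triplets as they were, whereas chmod 755 on the same file clears setuid and also resets every other bit to the value given.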

You can set special permissions on a file in absolute mode or symbolic mode. However, you must use symbolic mode to set or remove setuid permissions on a directory. In absolute mode, you set special permissions by adding a new octal value to the left of the permission triplet. The following table lists the octal values for setting special permissions on a file.